Re: [mod-security-users] mod_security blocking many PHPMyAdmin functions

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On 5/22/06, Kai Schaetzl <mai...@co...> wrote:
> The match is correct, it contains a "select ... from" statement. (BTW, no=
 other
> method to find the correct rule than searching for the pattern, right?)

No, unless you have assigned unique IDs to each of your rules. (Which,
for example, I did for the Certified ModSecurity Rules.)

> Ok, it's not this rule that hit. That also explains why the message wasn'=
t
> noted above. I searched all the rules files but I didn't search the main
> mod_security.conf that (I think) came with mod_security.
> There are these rules:
>     # Very crude filters to prevent SQL injection attacks
>      SecFilter "delete[[:space:]]+from"
>      SecFilter "insert[[:space:]]+into"
>      SecFilter "select.+from"
> and it's the last one that gets triggered.
> It seems all three rules are encompassed by the SQL Injection rules in
> rules.conf as quoted in my first posting. So, if I keep rules.conf I
> could probably delete those three, right?

Yes, probably.

> If I wanted to add an exclusion for the simple rule above I would do this=
 like that:
> SecFilter "select.+from" "id:uniqueid,rev:x,severity:x,msg:'message'"
> is that correct?

Exclusion? No, that is a way to add a new rule.

> BTW, while viewing over the documentation I found some links to your webk=
reator.com
> site and read some of the old PHP articles. However, the Techniques secti=
on doesn't show the single articles, there seems to be some error with the =
template.

Thanks, I'll look into that.

> I'm now trying to understand how the chaining works. Documentation doesn'=
t say anything
> about finishing it so I suppose the chaining works only for the next line=
 after the
> chain action?

Yes.

> Is it limited to one line or can I add more lines to a chain by
> adding the chain action to all of them except the last one?

There's no limit, you can chain any number of rules together.

--=20
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall